1. Field of the Invention
The present invention relates generally to data networks and, more particularly, to identifying sources of network attacks.
2. Description of Related Art
Network attacks, such as distributed denial of service (DDoS) attacks, present unique source identification and tracking problems for a service provider. At the victim's location, an attack may be discovered when hundreds or thousands of compromised systems initiate a surge of packets with the destination address of one or more servers within the victim's network. The intent of these packets may be to crash the victim's servers (as with a SYN attack), consume all bandwidth between the victim and the Internet, or reduce the ability of the victim to provide its intended service.
A properly constructed DDoS attack may overwhelm computer and network systems at the victim's network and may only require a few hundred attacking systems to knock a large network off the Internet. The use of multiple attacking systems at multiple sites significantly increases the amount of time needed to fully identify the sources of the attack and stop the attack.
Conventional approaches to locating the sources of a DDoS attack take a considerable amount of time and have a number of drawbacks. For example, once an attack has been detected, the victim and/or the service provider may attempt to identify the sources of the attack via a manual process involving capturing packets at the closest router to the victim. An operator may then try to trace the sources of these packets to identify their origination point. Since source addresses can be spoofed, however, it may be difficult to determine the actual sources of the attack. The operator may then attempt to manually backtrack to those routers that forwarded the packets to the service provider serving the victim, based on the interfaces on which the attack arrived. This backtracking operation is typically performed recursively until the source routers are identified. One drawback with this approach is that hop-by-hop backtracking is a time-consuming process.
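The recursive backtracking just described, simulated as an added example that is not part of the patent text. The router topology, interface names and per-interface packet counts are constructed for illustration; each router the procedure visits stands for one manual packet-capture step an operator would have to perform, which is where the time cost comes from.

```python
"""Simulation of hop-by-hop backtracking from the victim's closest router.

Added example; the topology and counts below are constructed, not from the patent.
"""

# Constructed topology: router -> {ingress interface: upstream neighbour on that interface}
TOPOLOGY = {
    "victim_edge": {"ge-0/0/1": "core1", "ge-0/0/2": "core2"},
    "core1": {"xe-1/1": "peer_a", "xe-1/2": "customer_x"},
    "core2": {"xe-2/1": "peer_b"},
    "peer_a": {},      # no upstream interfaces modelled: traffic enters the provider here
    "peer_b": {},
    "customer_x": {},
}

# Constructed per-interface counts of packets destined to the victim during the attack
ATTACK_COUNTS = {
    ("victim_edge", "ge-0/0/1"): 9000,
    ("victim_edge", "ge-0/0/2"): 120,
    ("core1", "xe-1/1"): 8800,
    ("core1", "xe-1/2"): 200,
    ("core2", "xe-2/1"): 120,
}


def backtrack(start, topology, counts, threshold):
    """Follow every ingress interface carrying at least `threshold` attack packets
    upstream, recursively, until routers with no such interface remain.

    Returns (set of source routers, ordered list of routers visited). The length
    of the visited list is the number of manual capture-and-inspect steps needed.
    """
    sources = set()
    visited = []
    stack = [start]
    seen = set()
    while stack:
        router = stack.pop()
        if router in seen:
            continue
        seen.add(router)
        visited.append(router)
        # Interfaces on this router whose count identifies them as carrying the attack
        hot_upstream = [
            neighbour
            for iface, neighbour in topology.get(router, {}).items()
            if counts.get((router, iface), 0) >= threshold
        ]
        if not hot_upstream:
            # Nothing upstream carries the attack: this router is where it entered
            sources.add(router)
        stack.extend(hot_upstream)
    return sources, visited


if __name__ == "__main__":
    for threshold in (1000, 100):
        srcs, steps = backtrack("victim_edge", TOPOLOGY, ATTACK_COUNTS, threshold)
        print(f"threshold={threshold}: sources={sorted(srcs)} after {len(steps)} capture steps")
```

Lowering the threshold makes the trace follow the low-volume interfaces too, so the operator visits every router in the constructed topology instead of three; in a real backbone with many more hops, that is the difference between minutes and hours of manual work.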
Other conventional approaches associated with source identification and mitigation of DDoS attacks include black hole routing, sink hole routing, and backscatter. In black hole routing, a border gateway protocol (BGP) route is used to indicate that all traffic destined to the attack target should be dropped at the ingress. This quickly removes the traffic from the service provider's backbone, but does not identify the sources of the attack. In addition, legitimate traffic is blocked from reaching the attack target.
In sink hole routing, a BGP route is used to indicate that all traffic destined to the attack target should be re-routed to a special device that can then analyze the traffic. However, if the source addresses are spoofed, the special device will be unable to identify the sources of the attack. This approach also requires that legitimate traffic be dropped.
Backscatter is similar to black hole routing, except it uses Internet Control Message Protocol (ICMP) unreachable messages to help identify the sources. The backscatter approach assumes the attacker is spoofing source addresses and that, by advertising bogus routes internally, the service provider can attract some of these ICMP unreachable messages for analysis. If the attacker does not use address spoofing, or spoofs from valid Internet addresses, all of the ICMP messages will be sent back to the attacker or to other points on the Internet and cannot be analyzed. This technique also requires that legitimate traffic destined to the attack target be dropped while the attack is analyzed.
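The backscatter mechanism and its stated limitation, as an added example that is not part of the patent text. It assumes, as in the usual deployment, that the edge router which black-holes the attack traffic is the one that emits the ICMP unreachable, so the unreachable's source address names the ingress router. The bogus prefixes, router addresses and attack packets are all constructed; the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 play the role of unused prefixes the provider advertises internally.

```python
"""Simulation of backscatter collection during black hole routing.

Added example; all addresses and packets are constructed, not from the patent.
"""
import ipaddress

# Constructed: unallocated prefixes the provider advertises internally to attract backscatter
BOGUS_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed: address of each edge router, used as the source of the ICMP it emits
EDGE_ROUTER_ADDR = {
    "peer_a": "203.0.113.1",
    "peer_b": "203.0.113.2",
    "customer_x": "203.0.113.3",
}

VICTIM = "203.0.113.200"

# Constructed attack packets: (source address, destination, edge router that received it)
SPOOFED_ATTACK = [
    ("192.0.2.77", VICTIM, "peer_a"),      # spoofed source inside a bogus prefix
    ("10.4.4.4", VICTIM, "peer_a"),        # spoofed source outside any bogus prefix
    ("198.51.100.5", VICTIM, "peer_b"),    # spoofed source inside a bogus prefix
    ("172.16.20.1", VICTIM, "peer_a"),     # spoofed source outside any bogus prefix
]
UNSPOOFED_ATTACK = [("10.9.9.9", VICTIM, "customer_x")] * 3


def icmp_unreachable(packet):
    """The edge router that black-holes the packet answers with an ICMP unreachable
    addressed to the packet's (possibly spoofed) source; the dropped packet's header
    is quoted inside the message."""
    src, dst, ingress = packet
    return {
        "icmp_src": EDGE_ROUTER_ADDR[ingress],  # identifies the ingress router
        "icmp_dst": src,                        # goes wherever the spoofed source points
        "quoted_src": src,
        "quoted_dst": dst,
    }


def collect_backscatter(packets, bogus_prefixes):
    """Return only the unreachables the provider can attract: those whose destination
    falls in an internally advertised bogus prefix. Everything else leaves the network."""
    captured = []
    for pkt in packets:
        msg = icmp_unreachable(pkt)
        if any(ipaddress.ip_address(msg["icmp_dst"]) in net for net in bogus_prefixes):
            captured.append(msg)
    return captured


def ingress_summary(messages):
    """Count attracted unreachables per emitting edge router, which is the
    information the analyst uses to locate where the attack enters."""
    counts = {}
    for msg in messages:
        counts[msg["icmp_src"]] = counts.get(msg["icmp_src"], 0) + 1
    return counts


if __name__ == "__main__":
    print("spoofed attack:", ingress_summary(collect_backscatter(SPOOFED_ATTACK, BOGUS_PREFIXES)))
    print("unspoofed attack:", ingress_summary(collect_backscatter(UNSPOOFED_ATTACK, BOGUS_PREFIXES)))
```

With randomly spoofed sources a fraction of the unreachables land in the bogus prefixes and name the ingress routers; with real source addresses the collector sees nothing at all, which is the failure mode the text describes.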
Each technique described above takes the approach of denying all traffic destined to the victim. In essence, each of these approaches effectively says that if the victim is already off-line as a result of the attack, these mechanisms for tracing the attack will not negatively impact the victim's current situation.
Therefore, there exists a need for systems and methods that identify sources of Internet attacks so that the attacks can be thwarted, while allowing customer interfaces with legitimate traffic to be unaffected.